Overview
overview
10Static
static
3cerber.exe
windows10-2004-x64
10cryptowall.exe
windows10-2004-x64
3jigsaw.exe
windows10-2004-x64
10Locky.exe
windows10-2004-x64
10131.exe
windows10-2004-x64
1Matsnu-MBR...3 .exe
windows10-2004-x64
3027cc450ef...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows10-2004-x64
10myguy.hta
windows10-2004-x64
3svchost.exe
windows10-2004-x64
7Ransomware...oad.sh
windows10-2004-x64
3Ransomware...est.py
windows10-2004-x64
3Ransomware...st2.py
windows10-2004-x64
3Ransomware...rna.py
windows10-2004-x64
3Analysis
-
max time kernel
1353s -
max time network
1162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2023 15:25
Static task
static1
Behavioral task
behavioral1
Sample
cerber.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral2
Sample
cryptowall.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
jigsaw.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
Locky.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral5
Sample
131.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral6
Sample
Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral7
Sample
027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20231130-en
Behavioral task
behavioral8
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20231127-en
Behavioral task
behavioral9
Sample
myguy.hta
Resource
win10v2004-20231127-en
Behavioral task
behavioral10
Sample
svchost.exe
Resource
win10v2004-20231130-en
Behavioral task
behavioral11
Sample
Ransomware-master/etc/load.sh
Resource
win10v2004-20231127-en
Behavioral task
behavioral12
Sample
Ransomware-master/test.py
Resource
win10v2004-20231127-en
Behavioral task
behavioral13
Sample
Ransomware-master/test2.py
Resource
win10v2004-20231130-en
Behavioral task
behavioral14
Sample
Ransomware-master/warna.py
Resource
win10v2004-20231130-en
General
-
Target
Ransomware-master/test.py
-
Size
186B
-
MD5
f5c90d7b70869e8de04c7d7e3051dea9
-
SHA1
93cf6fd3b58cfa7e9ccb7c88bd2cccd65a4d4be7
-
SHA256
4bfe4b8e987cae3539dddec1fc0732a7b1195768f0c8ff3352dccd4fa76bc249
-
SHA512
64d5aaaa1bcbb17eff100bc83d1020660b6e4b6734f99bd5017e0d895753b70619bafd63809b72768815ce1ad1cc80fecd41e8414b1498201bd310dfed213d25
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 3516 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1600 OpenWith.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Ransomware-master\test.py1⤵
- Modifies registry class
PID:4496
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1600
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:896
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516